kernel-netlink: install selectors on SA for transport/BEET mode without proto/port

If a transport/BEET SA has different selectors for different proto/ports, installing just the proto/port of the first SA would break any additional selector.
author: Martin Willi <martin@revosec.ch> 2013-06-05 11:39:35 +0200
committer: Martin Willi <martin@revosec.ch> 2013-06-19 16:36:01 +0200
commit: 3d1af879d2b8c4dbb8d87aa5ca478e37dadb6dc8 (patch)
tree: 53e7c6d983baecf8b3506ee7774ec3c6e8246179 /src
parent: 4a7c29bf0231e23841fb4ea7693a11bbb9f262a8 (diff)
download: strongswan-3d1af879d2b8c4dbb8d87aa5ca478e37dadb6dc8.tar.bz2
strongswan-3d1af879d2b8c4dbb8d87aa5ca478e37dadb6dc8.tar.xz
1 files changed, 6 insertions, 0 deletions
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 47e725c1c..2f8cb6b3e 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1224,6 +1224,12 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 			if(src_ts && dst_ts)
 			{
 				sa->sel = ts2selector(src_ts, dst_ts);
+				/* don't install proto/port on SA. This would break
+				 * potential secondary SAs for the same address using a
+				 * different prot/port. */
+				sa->sel.proto = 0;
+				sa->sel.dport = sa->sel.dport_mask = 0;
+				sa->sel.sport = sa->sel.sport_mask = 0;
 			}
 			break;
 		default:
author	Martin Willi <martin@revosec.ch>	2013-06-05 11:39:35 +0200
committer	Martin Willi <martin@revosec.ch>	2013-06-19 16:36:01 +0200
commit	3d1af879d2b8c4dbb8d87aa5ca478e37dadb6dc8 (patch)
tree	53e7c6d983baecf8b3506ee7774ec3c6e8246179 /src
parent	4a7c29bf0231e23841fb4ea7693a11bbb9f262a8 (diff)
download	strongswan-3d1af879d2b8c4dbb8d87aa5ca478e37dadb6dc8.tar.bz2 strongswan-3d1af879d2b8c4dbb8d87aa5ca478e37dadb6dc8.tar.xz